Many of today's small businesses use PCs and a server network to facilitate their operations. Important company information is stored in electronic format on these networks, and daily operations are dependent on the network being both available and secure. In many cases, these small businesses ignore or are unaware of the risks that could compromise the safety of the data. To better understand these issues, two hundred of these small businesses were interviewed about their network security. Companies ranged from those with ten employees or fewer to those with over a hundred staff members.

Over half of the survey respondents believed that their network was adequately safe or very secure. A large number of respondents did admit that they doubted their defenses against an attack. This isn't too surprising, as nearly all businesses have experienced some type of security threat in the last year, from lost computers or back-up tapes, hacker attacks, viruses, or theft by employees.

The top three threats reported were:
1) Trojan horse or virus attacks
2) Stolen or lost computers, including data storage devices
3) Employee theft or hacker attack

Company defenses reported include:
1) Virus Protection
2) Firewall
3) Spyware Protection
4) Spam Filters

Recommendations:
Most companies reported that they lacked a smart password policy, automated patch management, and employee network use policies. Generally, many of these businesses don't have full protection against an attack, and have not yet had to put their defenses to the test.

There isn't one single fix to ensure secure continuity of operations on a network. However, we recommend a layered approach in managing these pressing security threats. This layered approach examines vulnerability in different areas including hardware, software, processes, and training. Every layer adds another level of protection to the information environment.
1) Blocking network-based attacks
2) Blocking host-based attacks
3) Eliminating vulnerability
4) Supporting authorized users safely
5) Tools for maximizing effectiveness and minimizing losses

To assure the continuity of your business operations, regular testing of these security measures is required.

Level of Overall Security:
Over half the respondents stated that they thought their network was secure enough or better. 30% of the remainder thought their network was only somewhat secure, and over 10% confided that their network was not as secure as it should be.

These small businesses tend to believe that their network is relatively secure: 63% of businesses with fewer than ten employees and almost 75% of those with between eleven and twenty-five staff members. The larger companies were not as sure of their defenses: over half of those with fifty to one hundred employees and 44% of those with over a hundred felt secure or secure enough. In the fifty-one to one hundred staff category, over 20% reported that the network was not as secure as it should be. In general, the bigger the company, the larger the network - and the greater the number of security risks it must defend against.

Experienced Threats:
The respondents reported on security lapses or attacks that they'd experienced over the last year. The survey showed that Trojan horses or virus attacks are the most common threat to the network, with about half reporting experiences with these issues in that time. The larger companies reported the lowest rate, 40%, which is indicative of better defenses. Over 60% of the smallest companies reported virus-based attacks.

Loss of company information from theft or loss of storage devices appeared to be a minor threat for smaller companies, but this risk increases with company size. Over 33% of the larger firms reported this sort of experience. Hacker attacks were most often experienced by firms with fewer than ten employees and those with over a hundred. It seems the smaller networks are more vulnerable, and the largest ones are high-profile, with a greater chance of becoming a target. Unfortunately, staff members can create a security risk themselves; about 10% of businesses reported that they had experienced unauthorized access or theft in the allotted time frame.

Devices and Procedures:
Good procedures, processes and systems can help defend against security threats. In the survey, respondents were asked which security methods were in use. Most reported that they had virus protection and firewalls. Around 25% lacked spam filters and spyware removal, leaving networks open to malware which ranges from dangerous to annoying. Under 50% have patch management or a smart password policy in place. This smart password system uses passwords with a mixture of normal and special characters which are frequently changed.

Compared to the largest companies surveyed, smaller businesses less often implement network use policies for employees. Over 80% of the larger companies have defined guidelines for proper and improper network use. These guidelines attempt to lower the amount of network activity unrelated to the business, which results in increased security risk.

Many of the respondents use wireless networks. Wireless networks are some of the most vulnerable access points if not well-secured. Only a few companies reported that they use all the top-priority security measures listed in the survey.

Testing:
No security device or feature can be known to provide real defense until it's been tested. Anti-virus specifications could be out of date, a hole could exist within a firewall, or staff members might not be using the correct practices for a safe and secure network. About 25% of respondents indicated that either they couldn't remember the last time they tested their security, or didn't know whether they ever had. This seems to indicate that while many have implemented security defenses, they can't be assured that the expected protection is actually provided.

The very smallest companies tested their security measures least often. About 10% of businesses had tested security, but not for over a year. As the threats change over time, dangerous lapses can occur without periodic testing. Around 33% of respondents reported that they'd tested their security measures within the last month. Validation of network security elements on a regular basis is important to system integrity in an overall continuity plan. It is unfortunate that usually a company only examines its level of exposure after a damaging event which negatively affects the business.